ELECTRICFISH

ELECTRICFISH, Alreay
(Type: Tunneling)

(US-CERT) This report provides analysis of two malicious 32-bit Windows executable files. The malware implements a custom protocol that allows traffic to be tunneled between a source and a destination Internet Protocol (IP) address. The malware continuously attempts to reach out to the source and the destination system, which allows either side to initiate a tunneling session. The malware can be configured with a proxy server/port and proxy username and password. This feature allows connectivity to a system sitting inside of a proxy server, which allows the actor to bypass the compromised system’s required authentication to reach outside of the network.

[News Analysis] Trends:

Total Trend: 6

Trend Per Year
2017: 2
2019: 1
2020: 3

Trend Per Month
Apr 2017: 2
May 2019: 1
Feb 2020: 2
May 2020: 1



[News Analysis] News Mention Another Threat Name:

1 - BLINDTOAD
65 - ELECTRICFISH
23 - FastCash
63 - AppleJeus
23 - BADCALL
23 - Bankshot
63 - Brambul
63 - Dtrack
23 - Duuzer
30 - DYEPACK
23 - HARDRAIN
23 - Hermes
63 - HOPLIGHT
63 - Joanap
63 - KEYMARBLE
23 - Kimsuky
23 - MimiKatz
23 - MyDoom
23 - NACHOCHEESE
23 - NavRAT
63 - PowerRatankba
23 - RokRAT
23 - Sierra(Alfa,Bravo, ...)
63 - Volgmer
23 - WannaCryptor
48 - Chrysaor
48 - Exodus
48 - Dacls
48 - VPNFilter
48 - DNSRat
48 - Griffon
48 - KopiLuwak
48 - More_eggs
48 - SQLRat
48 - BONDUPDATER
48 - Agent.BTZ
48 - Anchor
48 - AndroMut
48 - BOOSTWRITE
48 - Carbanak
48 - Cobalt Strike
48 - DistTrack
48 - DNSpionage
48 - FlawedAmmyy
48 - FlawedGrace
48 - Get2
48 - Grateful POS
48 - Imminent Monitor RAT
48 - jason
48 - KerrDown
48 - Lambert
48 - LightNeuron
48 - LoJax
48 - MiniDuke
48 - PolyglotDuke
48 - Rising Sun
48 - SDBbot
48 - ServHelper
48 - Snatch
48 - Stuxnet
48 - TinyMet
48 - tRat
48 - TrickBot
48 - X-Agent
48 - Zebrocy
8 - Lazarus Group
7 - Alreay
7 - HOTWAX
7 - NESTEGG
7 - RatankbaPOS
7 - REDSHAWL
7 - WORMHOLE


[TTP Analysis] Technique Performance:



[TTP Analysis] Mitre Attack Matrix:

TA0043 Reconnaissance
TA0042 Resource Development
TA0001 Initial Access
TA0002 Execution
TA0003 Persistence
TA0004 Privilege Escalation
TA0005 Defense Evasion
TA0006 Credential Access
TA0007 Discovery
TA0008 Lateral Movement
TA0009 Collection
TA0011 Command and Control
TA0010 Exfiltration
TA0040 Impact


[Infrastructure Analysis] Based on Related IOC:

IP:Port Timestamp
Domain Timestamp
URL Timestamp


[Target Analysis] Region/Sector:

No information


References:

News Article (Credit @Malpedia)

APT38 Lazarus Threat Analysis Report

2020-05-04 by ADEO DFIR from ADEO DFIR

The Lazarus Constellation A study on North Korean malware

2020-02-19 by Lexfo from Lexfo

APT Report 2019

2020-02-13 by Qi Anxin Threat Intelligence Center from Qianxin

Malware Analysis Report (AR19-129A)

2019-05-09 by CISA from CISA

Lazarus under the Hood

2017-04-03 by GReAT from Kaspersky Labs

Basic Information (Credit @etda.or.th)

Tool: ELECTRICFISH

Names: ELECTRICFISH, Alreay

Description: (US-CERT) This report provides analysis of two malicious 32-bit Windows executable files. The malware implements a custom protocol that allows traffic to be tunneled between a source and a destination Internet Protocol (IP) address. The malware continuously attempts to reach out to the source and the destination system, which allows either side to initiate a tunneling session. The malware can be configured with a proxy server/port and proxy username and password. This feature allows connectivity to a system sitting inside of a proxy server, which allows the actor to bypass the compromised system’s required authentication to reach outside of the network.

Category: Malware

Type: Tunneling

Information: https://www.us-cert.gov/ncas/analysis-reports/ar19-252b

Information: https://securelist.com/blog/sas/77908/lazarus-under-the-hood/

Malpedia: https://malpedia.caad.fkie.fraunhofer.de/details/win.electricfish

Malpedia: https://malpedia.caad.fkie.fraunhofer.de/details/win.alreay

Alienvault-otx: https://otx.alienvault.com/browse/pulses?q=tag:ElectricFish

Last-card-change: 2020-05-13

Source: https://apt.etda.or.th/cgi-bin/listtools.cgi